EasyPeasy

Target IP: 10.10.166.70


Reconnaissance

[screenshot]
Scanning the machine shows three open TCP ports on the target. HTTP services run on ports 80 and 65524, and an SSH service runs on port 6498.


Enumeration

Port 80: HTTP
[screenshot]
Browsing to this port displays the default nginx welcome page, as shown above. The page source does not contain anything useful.

[screenshot]
Doing a directory search against this port with the command gobuster dir -u http://10.10.166.70/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt reveals the interesting /hidden directory shown above. I browsed to /robots.txt but did not find anything useful.

[screenshot]
Browsing to /hidden displays the webpage above. The source code of this page does not contain anything useful.

[screenshot]
Doing a directory search against /hidden with the command gobuster dir -u http://10.10.166.70/hidden/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt reveals another hidden directory called /whatever.

[screenshot]
Browsing to /hidden/whatever shows the webpage above.

[screenshot]
The source code of this page contains the base64 string shown above.

[screenshot]
Decoding it outputs the first flag. A directory search against /hidden/whatever did not lead to anything useful, so it is time to enumerate the other ports.

Port 65524: HTTP

[screenshot]
Browsing to this application displays the default Apache webpage, as shown above.

[screenshots]
However, the page source contains hidden strings, as shown above. The string ba....:ObsJmP173N2X6dOrAgEAL0Vu hints that the value after the colon is encoded with some base-N encoding.

[screenshot]
Decoding the string ObsJmP173N2X6dOrAgEAL0Vu from base62 gives /n0th1ng3ls3m4tt3r, which looks like a directory. Before browsing to it, I want to enumerate further. The third flag, flag{9fdafbd64c47471a8f54cd3fc64cd312}, is also shown above.

[screenshot]
Running a directory search with the command gobuster dir -u http://10.10.166.70:65524/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt shows the interesting directories above for this application. The /robots.txt file sounds juicy.

[screenshot]
Browsing to /robots.txt shows the content above. The User-Agent field contains an MD5 hash! I tried the command curl --user-agent 'a18672860d0510e5ab6699730763b250' http://10.10.166.70:65524/robots.txt but did not obtain any other hidden directories. However, looking up this MD5 hash in a hash database outputs the string flag{1m_s3c0nd_fl4g}.

[screenshot]
After enumerating for some time and finding nothing, I browsed to /n0th1ng3ls3m4tt3r. The webpage above is shown for this directory. The string 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81 is interesting.

[screenshot]
Using the website md5hashing, I obtained the result for the hash above: it corresponds to the string mypasswordforthatjob. Is this a password that can be used to extract data from an image, possibly the binary data image?

[screenshot]
And bingo! I downloaded the binary image located at /n0th1ng3ls3m4tt3r and used the password mypasswordforthatjob to extract the hidden file secrettext.txt. Its content is shown above. The username is boring, but the password is in binary (i.e. base2). I can decode it using CyberChef.

[screenshot]
Using CyberChef, I obtained the password iconvertedmypasswordtobinary. Now I have the credential boring:iconvertedmypasswordtobinary.


Exploitation

[screenshot]
Using the credential boring:iconvertedmypasswordtobinary, I gained access to the SSH service on port 6498 on the target machine. Now I have a shell on the target!


Privilege Escalation

[screenshot]
The interesting cron job .mysecretcronjob.sh runs as root, as shown above.

[screenshot]
The content of .mysecretcronjob.sh is shown above. Since the user boring has write privileges over this script, I can put my reverse shell inside it.

[screenshot]
GG. I put my bash reverse shell inside the cron job script, listened on port 8443 and received a reverse shell connection as root. Now I have root access on the target machine.
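The root cause of this escalation is a script that root executes on a schedule but that a non-root user can edit. The following is an added defensive audit, written for this writeup and not part of the original post, that parses system-crontab-style entries, collects every absolute path a root-run job references, and flags any that are group- or world-writable (and optionally any not owned by root). The crontab text, the schedule and the temporary file paths in run_demo are constructed; only the script name .mysecretcronjob.sh is taken from the writeup.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Matches absolute paths inside a cron command string (stops at whitespace and shell operators).
PATH_RE = re.compile(r"/[^\s;&|<>()]+")


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs from system-crontab-style text (/etc/crontab, /etc/cron.d/*)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                  # comment or VAR=value line
        if line.startswith("@"):                      # @reboot/@daily style: schedule user command
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue                              # malformed entry
        else:                                         # min hour dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue                              # malformed entry
        entries.append((fields[-2], fields[-1]))
    return entries


def writable_by_non_owner(path: str) -> bool:
    """True when the group or world write bit is set, so users other than the owner can edit it."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_jobs(crontab_text: str, require_root_owner: bool = True) -> List[str]:
    """Paths referenced by root-run jobs that a less-privileged user could modify."""
    findings = []
    for user, command in parse_crontab(crontab_text):
        if user != "root":
            continue
        for path in PATH_RE.findall(command):
            if not os.path.isfile(path):
                continue                              # interpreters such as /bin/bash are checked too
            unsafe = writable_by_non_owner(path)
            if require_root_owner and os.stat(path).st_uid != 0:
                unsafe = True                         # owned by someone other than root
            if unsafe and path not in findings:
                findings.append(path)
    return findings


def run_demo() -> Tuple[List[str], str]:
    """Constructed scenario: one world-writable root-run script and one safe script."""
    tmp = tempfile.mkdtemp()
    bad = os.path.join(tmp, ".mysecretcronjob.sh")   # script name taken from the writeup
    good = os.path.join(tmp, "safe.sh")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho hello\n")
    os.chmod(bad, 0o777)                              # anyone can rewrite what root will execute
    os.chmod(good, 0o755)                             # only the owner can modify it
    crontab = (
        f"* * * * * root {bad}\n"                     # constructed schedule and paths
        f"@reboot root {good}\n"
        f"* * * * * boring /usr/bin/true\n"
    )
    # require_root_owner=False because the demo files are created by the current user, not root.
    return audit_root_jobs(crontab, require_root_owner=False), bad


if __name__ == "__main__":
    flagged, _ = run_demo()
    for path in flagged:
        print("root-run script modifiable by non-root user:", path)
```

On a real host, feed it the contents of /etc/crontab, each file under /etc/cron.d and root's own crontab, and keep require_root_owner=True so that a root-run script owned by an ordinary user (the situation in this writeup) is reported even when its mode bits look tidy.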


Flags

[screenshot]
The user.txt flag is shown above, but its content is rotated.

[screenshot]
The ciphertext is encoded with a Caesar cipher. Using a key of 20, I obtained the plaintext flag flag{n0wits33msn0rm4l}.
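The three decoding steps in this writeup (the base64 string in the /hidden/whatever source, the base2 password in secrettext.txt, and the Caesar-shifted user.txt) are all simple enough to do without CyberChef. The block below is an added example, not code from the original post: it decodes each layer and, for the Caesar step, tries all 26 shifts and picks the one that produces the flag marker. The sample inputs are constructed; SAMPLE_CAESAR is the writeup's plaintext flag shifted by 6, so that the key of 20 from the page recovers it.

```python
import base64
import string
from typing import Dict, Optional

# Constructed sample inputs (not the strings from the target machine).
SAMPLE_B64 = "ZmxhZ3tleGFtcGxlfQ=="                                    # "flag{example}"
SAMPLE_BITS = "01100010 01101111 01110010 01101001 01101110 01100111"   # "boring"
SAMPLE_CAESAR = "lrgm{t0cozy33syt0xs4r}"   # writeup's flag shifted by 6; key 20 undoes it


def decode_base64(text: str) -> str:
    """Decode a base64 string such as the one found in page source."""
    return base64.b64decode(text, validate=True).decode("utf-8")


def decode_binary(bits: str) -> str:
    """Decode whitespace-separated 8-bit groups (base2) into ASCII text."""
    compact = "".join(bits.split())                     # drop spaces/newlines between bytes
    if len(compact) % 8 or set(compact) - {"0", "1"}:
        raise ValueError("expected whitespace-separated 8-bit binary groups")
    return "".join(chr(int(compact[i:i + 8], 2)) for i in range(0, len(compact), 8))


def caesar_shift(text: str, key: int) -> str:
    """Rotate letters forward by `key` (mod 26); digits, braces and underscores pass through."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    out = []
    for ch in text:
        if ch in lower:
            out.append(lower[(lower.index(ch) + key) % 26])
        elif ch in upper:
            out.append(upper[(upper.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext: str) -> Dict[int, str]:
    """All 26 shifts of the ciphertext, keyed by shift amount."""
    return {k: caesar_shift(ciphertext, k) for k in range(26)}


def find_flag_shift(ciphertext: str, marker: str = "flag{") -> Optional[int]:
    """Return the shift whose plaintext contains `marker`, or None if no shift does."""
    for k, candidate in caesar_candidates(ciphertext).items():
        if marker in candidate:
            return k
    return None


if __name__ == "__main__":
    print(decode_base64(SAMPLE_B64))
    print(decode_binary(SAMPLE_BITS))
    key = find_flag_shift(SAMPLE_CAESAR)
    print(key, caesar_shift(SAMPLE_CAESAR, key))
```

Brute-forcing the shift is the practical approach for a Caesar cipher: with only 26 keys, searching for a known marker such as flag{ is faster and less error-prone than guessing the key by hand.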

[screenshot]
The .root.txt flag, which is located at /root, is shown above.